SSH Permission denied (publickey).


Andrew Fu

Aug 27, 2018, 3:08:45 AM
to gce-discussion
I'm trying to ssh into a google cloud instance "ajc2" that I was given owner access to. This is the command that I am using: gcloud compute --project "clear-mountain-94802" ssh --zone "us-central1-c" "ajc2" --ssh-flag="-vvv"

I have already run through "gcloud init" and "gcloud auth login" successfully. 

It looks like the ssh keys were generated successfully and my .ssh folder has permissions set to 700. All files inside the folder have permissions at least 600 or higher. I'm not sure why I'm getting the error Permission denied (publickey). Does anyone have insight into this?

Below is the printout using --ssh-flag="-vvv":

andrewfu:fwdrestartingvnc andrewfu$ pwd

/Users/andrewfu/Downloads/fwdrestartingvnc

andrewfu:fwdrestartingvnc andrewfu$ gcloud compute --project "clear-mountain-94802" ssh --zone "us-central1-c" "ajc2" --ssh-flag="-vvv"

OpenSSH_7.6p1, LibreSSL 2.6.2

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 48: Applying options for *

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to 35.232.179.72 port 22.

debug1: Connection established.

debug1: identity file /Users/andrewfu/.ssh/google_compute_engine type 0

debug1: key_load_public: No such file or directory

debug1: identity file /Users/andrewfu/.ssh/google_compute_engine-cert type -1

debug1: Local version string SSH-2.0-OpenSSH_7.6

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8

debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH_6.6.1* compat 0x04000000

debug3: fd 5 is O_NONBLOCK

debug1: Authenticating to 35.232.179.72:22 as 'andrewfu'

debug1: using hostkeyalias: compute.638568653107616640

debug3: hostkeys_foreach: reading file "/Users/andrewfu/.ssh/google_compute_known_hosts"

debug3: record_hostkey: found key type ECDSA in file /Users/andrewfu/.ssh/google_compute_known_hosts:1

debug3: load_hostkeys: loaded 1 keys from compute.638568653107616640

debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

debug3: send packet: type 20

debug1: SSH2_MSG_KEXINIT sent

debug3: receive packet: type 20

debug1: SSH2_MSG_KEXINIT received

debug2: local client KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c

debug2: host key algorithms: ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed2551...@openssh.com,ssh-rsa-...@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

debug2: ciphers ctos: chacha20...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes12...@openssh.com,aes25...@openssh.com

debug2: ciphers stoc: chacha20...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes12...@openssh.com,aes25...@openssh.com

debug2: MACs ctos: umac-...@openssh.com,umac-1...@openssh.com,hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-s...@openssh.com,uma...@openssh.com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-...@openssh.com,umac-1...@openssh.com,hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-s...@openssh.com,uma...@openssh.com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zl...@openssh.com,zlib

debug2: compression stoc: none,zl...@openssh.com,zlib

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: host key algorithms: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519

debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes12...@openssh.com,aes25...@openssh.com,chacha20...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijnda...@lysator.liu.se

debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes12...@openssh.com,aes25...@openssh.com,chacha20...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijnda...@lysator.liu.se

debug2: MACs ctos: hmac-m...@openssh.com,hmac-s...@openssh.com,umac-...@openssh.com,umac-1...@openssh.com,hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-ripe...@openssh.com,hmac-sha...@openssh.com,hmac-md...@openssh.com,hmac-md5,hmac-sha1,uma...@openssh.com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: MACs stoc: hmac-m...@openssh.com,hmac-s...@openssh.com,umac-...@openssh.com,umac-1...@openssh.com,hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-ripe...@openssh.com,hmac-sha...@openssh.com,hmac-md...@openssh.com,hmac-md5,hmac-sha1,uma...@openssh.com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: compression ctos: none,zl...@openssh.com

debug2: compression stoc: none,zl...@openssh.com

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug1: kex: algorithm: curve255...@libssh.org

debug1: kex: host key algorithm: ecdsa-sha2-nistp256

debug1: kex: server->client cipher: chacha20...@openssh.com MAC: <implicit> compression: none

debug1: kex: client->server cipher: chacha20...@openssh.com MAC: <implicit> compression: none

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:gO6j1NcV2hOFWMbe+JguVd3iqqV2c2Loo7CD+B4LgJU

debug1: using hostkeyalias: compute.638568653107616640

debug3: hostkeys_foreach: reading file "/Users/andrewfu/.ssh/google_compute_known_hosts"

debug3: record_hostkey: found key type ECDSA in file /Users/andrewfu/.ssh/google_compute_known_hosts:1

debug3: load_hostkeys: loaded 1 keys from compute.638568653107616640

debug1: Host 'compute.638568653107616640' is known and matches the ECDSA host key.

debug1: Found key in /Users/andrewfu/.ssh/google_compute_known_hosts:1

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: set_newkeys: mode 0

debug1: rekey after 134217728 blocks

debug2: key: /Users/andrewfu/.ssh/google_compute_engine (0x7ff9f540e110), explicit

debug3: send packet: type 5

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug3: start over, passed a different list publickey

debug3: preferred publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering public key: RSA SHA256:W0uL2eaHbndzPnMB070+ZzPHHLDY2v4pgtnPRXHlpc0 /Users/andrewfu/.ssh/google_compute_engine

debug3: send_pubkey_test

debug3: send packet: type 50

debug2: we sent a publickey packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

andr...@35.232.179.72: Permission denied (publickey).

ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].

AsifT (Google Cloud Support)

Aug 27, 2018, 11:17:41 AM
to gce-discussion
"Permission denied (publickey)" means it is unable to validate the public key for the username. This can be caused by either the public key not being found or not matching for the username. This guide talks about controlling access to Linux instances.

The 'compute ssh' command is specifying a project, so make sure "Block project-wide SSH keys" is not enabled.

Removing the SSH keys for the user from the GCP console and letting the 'compute ssh' command recreate the keys mostly helps in such cases.


Andrew Fu

Aug 27, 2018, 2:55:34 PM
to gce-discussion
Where can I go to disable "Block project-wide SSH keys"?

Also, removing the SSH keys from the GCP console...I'm going to remove them from GCP under metadata->SSH Keys tab. Do I also need to remove them under metadata->metadata tab?


Andrew Fu

Aug 27, 2018, 3:11:42 PM
to gce-discussion
Is it possible that it's blocking me because my username on my local machine does not match up with the username on Google Cloud that I've been given access to? If so, do I just change my local machine name to match the name on Google Cloud?


AsifT (Google Cloud Support)

Aug 27, 2018, 5:23:33 PM
to gce-discussion
The "Block project-wide SSH keys" option is found on the instance's details page in GCP console under SSH Keys title.

You need to remove the keys only under Metadata --> SSH Keys.

Recreating the keys with 'compute ssh' command should resolve the naming mismatch. Have you tried SSH --> 'Open in browser window' with the same username?

Andrew Fu

Aug 27, 2018, 5:46:59 PM
to gce-discussion
I was able to get this to work by adding my public key under metadata->metadata tab.

For some reason, this is the only way it would work... even though the SSH keys showed under metadata->ssh keys.

Could it be because my command only specified the instance part and not the user? e.g. "ajc2" instead of myname@ajc2, where myname is the user that has permission to access this instance?

AsifT (Google Cloud Support)

Aug 28, 2018, 11:51:35 AM
to gce-discussion
You shouldn't have to edit Metadata->Metadata tab manually.

Try this:

1) Delete the user's key under both (Metadata & SSH Keys) tabs.
2) Update your SDK.
3) Then 'gcloud compute ssh' using [USER@]INSTANCE
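
Added example, not part of the thread and not Google's code: a small Python check for the two causes named in the replies above (key not found, or key registered under a different username). It reads the login name and offered key fingerprint from `ssh -v` output and compares them with an `ssh-keys` metadata value, assumed to hold one `USERNAME:TYPE BLOB [COMMENT]` entry per line; the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_client_log(log):
    """Return (login name, offered key fingerprints) from `ssh -v` output."""
    user = re.search(r"Authenticating to \S+ as '([^']+)'", log)
    offered = re.findall(r"Offering public key:.*?(SHA256:\S+)", log)
    return (user.group(1) if user else None), offered


def parse_ssh_keys(value):
    """Parse an ssh-keys metadata value: one 'USER:TYPE BLOB [COMMENT]' per line."""
    entries = []
    for line in value.splitlines():
        user, sep, key = line.strip().partition(":")
        fields = key.split()
        if not sep or len(fields) < 2:
            continue  # blank or malformed entry
        try:
            entries.append((user, fingerprint(fields[1])))
        except ValueError:  # blob is not valid base64
            continue
    return entries


def diagnose(log, ssh_keys_value):
    """Classify whether the offered key is registered, and for which user."""
    user, offered = parse_client_log(log)
    if not offered:
        return "no-key-offered"
    owners = sorted({u for u, fp in parse_ssh_keys(ssh_keys_value) if fp in offered})
    if user in owners:
        return "match"
    if owners:
        return "username-mismatch:" + ",".join(owners)
    return "key-not-in-metadata"


# Constructed sample data: placeholder bytes, not real keys or a real host.
BLOB_A = base64.b64encode(b"constructed-key-blob-A").decode()
BLOB_B = base64.b64encode(b"constructed-key-blob-B").decode()
SAMPLE_LOG = (
    "debug1: Authenticating to 203.0.113.10:22 as 'andrewfu'\n"
    "debug1: Offering public key: RSA " + fingerprint(BLOB_A)
    + " /home/user/.ssh/google_compute_engine\n"
    "debug1: Authentications that can continue: publickey\n"
)

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "afu:ssh-rsa " + BLOB_A + " afu@laptop"))
```

When "Block project-wide SSH keys" is enabled on the instance, pass only the instance-level `ssh-keys` value, since project-wide entries are ignored in that case.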